The Department of Defense has been lauded as the first agency in the federal government to institute a bug bounty program. While limited in scope compared to private-sector programs, Hack the Pentagon, as it’s known, invited vetted hackers in with the aim of discovering vulnerabilities in the department’s websites and systems.
Since then, many security experts have expressed the need for similar programs to take place within the other federal agencies.
Mike Chung, who helped run Hack the Pentagon for DoD within the Defense Digital Service, now works at Bugcrowd, a vulnerability assessment company, and is looking for more federal agencies to institute bug bounty programs. He talked to Fifth Domain about the challenges of wide-scale government adoption.
Fifth Domain: What are the obstacles to bringing bug bounty programs to other agencies and the larger federal government?
Mike Chung: The idea of running bug bounty programs is still new in the federal space. During my time running Hack the Pentagon, we learned a lot about how to better implement these programs at other agencies and organizations. The initial challenges we faced concerned the comfort level of bringing in outside researchers to evaluate applications and systems for exploits, but that isn’t as much of a concern anymore. With new exploits surfacing every day, most organizations are constrained by a lack of resources. Leveraging a crowd of researchers is an effective approach that every agency should turn to.
Fifth Domain: What lessons can be learned from the Hack the Pentagon program and associated bug bounties with the services?
Chung: Partnering with premier vendors that provide valuable services and products can help agencies scale their security needs. There are not enough resources for an agency to do this alone. The economics make sense. Cost is a factor when selecting a vendor, and can be something that wasn’t taken into consideration when initial contracts were set up. Also, not all contractors are created equal and it’s important to understand what you’re paying for and how the bounties are laid out.
Fifth Domain: How important to overall security is instituting a bug bounty program within other federal agencies?
Chung: It’s a must. I would also recommend implementing a continuous vulnerability disclosure program (VDP) to get the full breadth of assessing exploits and vulnerabilities. Programs like these have been around for a few years in the private sector, and it’s absolutely necessary for federal agencies to have these programs in place. It’s not a major investment compared to other security services out there, and it’s important to leverage the knowledge of professional researchers to reduce the damage done by enemy hackers today.